---
title: Integrations
description: A cheatsheet of core actions, integrations, and credentials supported by Tracecat.
---

## Core Actions

<Note>Core action namespaces are prefixed with `core.`.</Note>

| Namespace      | Function        | Secrets |
| -------------- | --------------- | ------- |
| core           | http_poll       | `ssl`   |
| core           | http_request    | `ssl`   |
| core           | require         | -       |
| core           | send_email_smtp | `smtp`  |
| core.sql       | execute_query   | `sql`   |
| core.cases     | create_case     | -       |
| core.cases     | create_comment  | -       |
| core.cases     | get_case        | -       |
| core.cases     | list_cases      | -       |
| core.cases     | list_comments   | -       |
| core.cases     | update_case     | -       |
| core.cases     | update_comment  | -       |
| core.cases     | search_cases    | -       |
| core.script    | run_python      | -       |
| core.table     | delete_row      | -       |
| core.table     | insert_row      | -       |
| core.table     | lookup          | -       |
| core.table     | lookup_many     | -       |
| core.table     | update_row      | -       |
| core.transform | apply           | -       |
| core.transform | deduplicate     | -       |
| core.transform | filter          | -       |
| core.transform | is_in           | -       |
| core.transform | map             | -       |
| core.transform | not_in          | -       |
| core.transform | reshape         | -       |
| core.workflow  | execute         | -       |

## AI Actions

| Namespace      | Function        | Secrets |
| -------------- | --------------- | ------- |
| ai             | action          | -       |
| ai             | agent           | -       |
| ai             | slackbot        | -       |

## Integrations

<Note>Integration namespaces are prefixed with `tools.`.</Note>

### Workspace Variables for Base URLs

Many integrations support workspace variables for base URLs, allowing you to configure them once at the workspace level instead of repeating them in every workflow action.

**Supported integrations:**
- Splunk: `VARS.splunk.base_url`
- Elasticsearch: `VARS.elasticsearch.base_url`
- Okta: `VARS.okta.base_url`
- SentinelOne: `VARS.sentinel_one.base_url`
- Jira: `VARS.jira.base_url`
- Gophish: `VARS.gophish.base_url`
- And many more (alertmedia, datadog, elastic_security, okta_oar, ollama, openai, sublime, wazuh)

**How it works:**
1. Create a workspace variable with the integration name (e.g., `splunk`) and key `base_url`
2. Set the value to your instance URL (e.g., `https://splunk.example.com:8089`)
3. In workflow actions, the `base_url` input is now optional and will use the workspace variable as a fallback
4. You can still override the workspace variable by explicitly providing a `base_url` in specific actions

**Example:**
```yaml
# Workspace variable: splunk.base_url = https://splunk.example.com:8089
# Action will use the workspace variable
- ref: search_splunk
  action: tools.splunk.search_events
  args:
    query: "search index=main error"
    # base_url not needed - uses VARS.splunk.base_url

# Or override for specific actions
- ref: search_different_instance
  action: tools.splunk.search_events
  args:
    query: "search index=main error"
    base_url: https://splunk-dev.example.com:8089  # Explicit override
```

| Namespace              | Function                                | Secrets                   |
| ---------------------- | --------------------------------------- | ------------------------- |
| tools.alertmedia       | create_trip                             | `alertmedia`, `ssl`       |
| tools.alertmedia       | delete_trip                             | `alertmedia`, `ssl`       |
| tools.alertmedia       | get_travel_events                       | `alertmedia`, `ssl`       |
| tools.alertmedia       | get_user_trip_by_id                     | `alertmedia`, `ssl`       |
| tools.alertmedia       | get_user_trips                          | `alertmedia`, `ssl`       |
| tools.alertmedia       | search_trips                            | `alertmedia`, `ssl`       |
| tools.alertmedia       | search_users                            | `alertmedia`, `ssl`       |
| tools.alertmedia       | update_trip                             | `alertmedia`, `ssl`       |
| tools.amazon_s3        | download_object                         | `amazon_s3`               |
| tools.amazon_s3        | parse_uri                               | `amazon_s3`               |
| tools.ansible          | run_playbook                            | `ansible`                 |
| tools.aws_boto3        | call_api                                | `aws`                     |
| tools.aws_boto3        | call_paginated_api                      | `aws`                     |
| tools.crowdsec         | lookup_ip_address                       | `crowdsec_cti`, `ssl`     |
| tools.crowdstrike      | list_alerts                             | `crowdstrike`             |
| tools.crowdstrike      | list_cases                              | `crowdstrike`             |
| tools.crowdstrike      | list_detects                            | `crowdstrike`             |
| tools.datadog          | list_security_signals                   | `datadog`, `ssl`          |
| tools.elastic_security | list_detection_signals                  | `elastic_security`, `ssl` |
| tools.falconpy         | call_command                            | `crowdstrike`             |
| tools.google_api       | get_access_token                        | `google_api`              |
| tools.google_maps      | get_location_data                       | `google_maps`, `ssl`      |
| tools.gophish          | create_campaign             | `gophish`                 |
| tools.gophish          | create_group                | `gophish`                 |
| tools.gophish          | create_landing_page         | `gophish`                 |
| tools.gophish          | create_sending_profile      | `gophish`                 |
| tools.gophish          | create_template             | `gophish`                 |
| tools.gophish          | delete_campaign             | `gophish`                 |
| tools.gophish          | delete_group                | `gophish`                 |
| tools.gophish          | delete_landing_page         | `gophish`                 |
| tools.gophish          | delete_sending_profile      | `gophish`                 |
| tools.gophish          | delete_template             | `gophish`                 |
| tools.gophish          | get_campaign                | `gophish`                 |
| tools.gophish          | get_campaign_results        | `gophish`                 |
| tools.gophish          | get_campaign_summary        | `gophish`                 |
| tools.gophish          | get_group                   | `gophish`                 |
| tools.gophish          | get_group_summary           | `gophish`                 |
| tools.gophish          | get_landing_page            | `gophish`                 |
| tools.gophish          | get_sending_profile         | `gophish`                 |
| tools.gophish          | get_template                | `gophish`                 |
| tools.gophish          | list_campaigns              | `gophish`                 |
| tools.gophish          | list_groups                 | `gophish`                 |
| tools.gophish          | list_groups_summary         | `gophish`                 |
| tools.gophish          | list_landing_pages          | `gophish`                 |
| tools.gophish          | list_sending_profiles       | `gophish`                 |
| tools.gophish          | list_templates              | `gophish`                 |
| tools.gophish          | modify_group                | `gophish`                 |
| tools.gophish          | modify_landing_page         | `gophish`                 |
| tools.gophish          | modify_sending_profile      | `gophish`                 |
| tools.gophish          | modify_template             | `gophish`                 |
| tools.hackerone        | get_program                             | `hackerone`, `ssl`        |
| tools.hackerone        | get_programs                            | `hackerone`, `ssl`        |
| tools.hackerone        | get_report                              | `hackerone`, `ssl`        |
| tools.hackerone        | get_reports                             | `hackerone`, `ssl`        |
| tools.hibp             | check_email_breaches                    | `hibp`, `ssl`             |
| tools.hibp             | check_email_pastes                      | `hibp`, `ssl`             |
| tools.hibp             | get_all_breaches                        | `ssl`                     |
| tools.hibp             | get_breach_details                      | `ssl`                     |
| tools.hibp             | get_data_classes                        | `ssl`                     |
| tools.hibp             | get_latest_breach                       | `ssl`                     |
| tools.ipinfo           | lookup_ip_address                       | `ipinfo`, `ssl`           |
| tools.jira             | add_issue_comment                       | `jira`, `ssl`             |
| tools.jira             | assign_issue                            | `jira`, `ssl`             |
| tools.jira             | create_issue                            | `jira`, `ssl`             |
| tools.jira             | get_fields                              | `jira`, `ssl`             |
| tools.jira             | get_issue                               | `jira`, `ssl`             |
| tools.jira             | get_priorities                          | `jira`, `ssl`             |
| tools.jira             | get_priority_schemes                    | `jira`, `ssl`             |
| tools.jira             | get_projects                            | `jira`, `ssl`             |
| tools.jira             | get_transitions                         | `jira`, `ssl`             |
| tools.jira             | get_user_id                             | `jira`, `ssl`             |
| tools.jira             | search_issues                           | `jira`, `ssl`             |
| tools.jira             | update_issue_description                | `jira`, `ssl`             |
| tools.jira             | update_issue_fields                     | `jira`, `ssl`             |
| tools.jira             | update_issue_status                     | `jira`, `ssl`             |
| tools.jira             | upload_attachment                       | `jira`, `ssl`             |
| tools.ldap             | add_entry                               | `ldap`                    |
| tools.leakcheck        | search_domain_leak                      | `leakcheck_api`           |
| tools.leakcheck        | search_email_leak                       | `leakcheck_api`           |
| tools.ldap             | delete_entry                            | `ldap`                    |
| tools.ldap             | modify_entry                            | `ldap`                    |
| tools.ldap             | search_entries                          | `ldap`                    |
| tools.okta             | activate_user                           | `okta`, `ssl`             |
| tools.okta             | add_to_group                            | `okta`, `ssl`             |
| tools.okta             | assign_group_to_app                     | `okta`, `ssl`             |
| tools.okta             | clear_user_sessions                     | `okta`, `ssl`             |
| tools.okta             | create_user                             | `okta`, `ssl`             |
| tools.okta             | expire_password                         | `okta`, `ssl`             |
| tools.okta             | expire_password_with_temporary_password | `okta`, `ssl`             |
| tools.okta             | get_group_members                       | `okta`, `ssl`             |
| tools.okta             | get_groups_assigned_to_user             | `okta`, `ssl`             |
| tools.okta             | get_user                                | `okta`, `ssl`             |
| tools.okta             | list_groups_in_org                      | `okta`, `ssl`             |
| tools.okta             | list_users                              | `okta`, `ssl`             |
| tools.okta             | lookup_user_by_email                    | `okta`, `ssl`             |
| tools.okta             | remove_from_group                       | `okta`, `ssl`             |
| tools.okta             | reset_password                          | `okta`, `ssl`             |
| tools.okta             | revoke_sessions                         | `okta`, `ssl`             |
| tools.okta             | search_users                            | `okta`, `ssl`             |
| tools.okta             | suspend_user                            | `okta`, `ssl`             |
| tools.okta             | unsuspend_user                          | `okta`, `ssl`             |
| tools.okta_oar         | create_message                          | `okta`, `ssl`             |
| tools.okta_oar         | get_requests                            | `okta`, `ssl`             |
| tools.okta_oar         | get_specific_request                    | `okta`, `ssl`             |
| tools.okta_oar         | get_user                                | `okta`, `ssl`             |
| tools.pagerduty        | acknowledge_event                       | -                         |
| tools.pagerduty        | get_all_schedules                       | `pagerduty`               |
| tools.pagerduty        | get_contact_methods                     | `pagerduty`               |
| tools.pagerduty        | get_incident_data                       | `pagerduty`               |
| tools.pagerduty        | get_incidents                           | `pagerduty`               |
| tools.pagerduty        | get_user_notification_rules             | `pagerduty`               |
| tools.pagerduty        | get_users_on_call                       | `pagerduty`               |
| tools.pagerduty        | resolve_event                           | `pagerduty`               |
| tools.pagerduty        | trigger_event                           | -                         |
| tools.phishlabs        | get_case_data                           | `phishlabs`               |
| tools.phishlabs        | get_feed_data                           | `phishlabs`               |
| tools.phishlabs        | get_threat_data                         | `phishlabs`               |
| tools.pymongo          | execute_operation                       | `mongodb`                 |
| tools.rootly           | create_alert                            | `rootly`                  |
| tools.rootly           | create_incident                         | `rootly`                  |
| tools.rootly           | get_alert                               | `rootly`                  |
| tools.rootly           | get_incident                            | `rootly`                  |
| tools.rootly           | list_alerts                             | `rootly`                  |
| tools.rootly           | list_incident_alerts                    | `rootly`                  |
| tools.rootly           | list_incidents                          | `rootly`                  |
| tools.sentinel_one     | list_threats                            | `sentinel_one`, `ssl`     |
| tools.slack            | ask_text_input                          | `slack`                   |
| tools.slack            | lookup_user_by_email                    | `slack`                   |
| tools.slack            | post_message                            | `slack`                   |
| tools.slack            | post_notification                       | `slack`                   |
| tools.slack            | post_update                             | `slack`                   |
| tools.slack            | revoke_sessions                         | `slack`                   |
| tools.slack_sdk        | call_method                             | `slack`                   |
| tools.slack_sdk        | call_paginated_method                   | `slack`                   |
| tools.splunk           | add_kv_fields                           | `splunk`, `ssl`           |
| tools.splunk           | create_kv_collection                    | `splunk`, `ssl`           |
| tools.splunk           | create_kv_entry                         | `splunk`, `ssl`           |
| tools.splunk           | delete_kv_collection                    | `splunk`, `ssl`           |
| tools.splunk           | delete_kv_entry                         | `splunk`, `ssl`           |
| tools.splunk           | discover_fields                         | `splunk`, `ssl`           |
| tools.splunk           | get_kv_collection                       | `splunk`, `ssl`           |
| tools.splunk           | get_kv_entry                            | `splunk`, `ssl`           |
| tools.splunk           | list_data_models                        | `splunk`, `ssl`           |
| tools.splunk           | list_field_extractions                  | `splunk`, `ssl`           |
| tools.splunk           | list_indexes                            | `splunk`, `ssl`           |
| tools.splunk           | list_kv_collections                     | `splunk`, `ssl`           |
| tools.splunk           | list_kv_entries                         | `splunk`, `ssl`           |
| tools.splunk           | list_sourcetypes                        | `splunk`, `ssl`           |
| tools.splunk           | search_events                           | `splunk`, `ssl`           |
| tools.splunk           | submit_hec_event                        | `splunk_hec`, `ssl`       |
| tools.splunk           | update_kv_entry                         | `splunk`, `ssl`           |
| tools.threatstream     | lookup_domain                           | `ssl`, `threatstream`     |
| tools.threatstream     | lookup_email                            | `ssl`, `threatstream`     |
| tools.threatstream     | lookup_file_hash                        | `ssl`, `threatstream`     |
| tools.threatstream     | lookup_ip_address                       | `ssl`, `threatstream`     |
| tools.threatstream     | lookup_url                              | `ssl`, `threatstream`     |
| tools.urlscan          | lookup_url                              | `ssl`, `urlscan`          |
| tools.virustotal       | lookup_domain                           | `ssl`, `virustotal`       |
| tools.virustotal       | lookup_file_hash                        | `ssl`, `virustotal`       |
| tools.virustotal       | lookup_ip_address                       | `ssl`, `virustotal`       |
| tools.virustotal       | lookup_url                              | `ssl`, `virustotal`       |
| tools.wazuh            | active_response                         | `ssl`, `wazuh_wui`        |
| tools.wazuh            | update_agents                           | `ssl`, `wazuh_wui`        |
| tools.zendesk          | get_group_users                         | `zendesk`, `ssl`          |
| tools.zendesk          | get_groups                              | `zendesk`, `ssl`          |
| tools.zendesk          | get_ticket                              | `zendesk`, `ssl`          |
| tools.zendesk          | get_ticket_attachments                  | `zendesk`, `ssl`          |
| tools.zendesk          | get_ticket_comments                     | `zendesk`, `ssl`          |
| tools.zendesk          | get_twilio_recordings                   | `zendesk`, `ssl`          |
| tools.zendesk          | search_tickets                          | `zendesk`, `ssl`          |

## Credentials

<Note>
  Tracecat uses secret keys associated with each integration for 3rd-party
  authentication. Find out more about how secrets work in Tracecat
  [here](/quickstart/secrets).
</Note>

| Secret Name            | Required Keys                                                                  | Optional Keys                                                                                                      |
| ---------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ |
| `alertmedia`           | `ALERTMEDIA_API_KEY`                                                           | -                                                                                                                  |
| `amazon_s3`            | -                                                                              | `AWS_ACCESS_KEY_ID` `AWS_PROFILE` `AWS_REGION` `AWS_ROLE_ARN` `AWS_ROLE_SESSION_NAME` `AWS_SECRET_ACCESS_KEY`      |
| `ansible`              | `ANSIBLE_SSH_KEY`                                                              | `ANSIBLE_PASSWORDS`                                                                                                |
| `aws`                  | -                                                                              | `AWS_ACCESS_KEY_ID` `AWS_PROFILE_NAME` `AWS_REGION` `AWS_ROLE_ARN` `AWS_ROLE_SESSION_NAME` `AWS_SECRET_ACCESS_KEY` |
| `check_point_infinity` | `CHECKPOINT_ACCESS_KEY` `CHECKPOINT_CLIENT_ID`                                 | -                                                                                                                  |
| `crowdsec_cti`         | `CTI_API_KEY`                                                                  | -                                                                                                                  |
| `crowdstrike`          | `CROWDSTRIKE_CLIENT_ID` `CROWDSTRIKE_CLIENT_SECRET`                            | -                                                                                                                  |
| `datadog`              | `DATADOG_API_KEY` `DATADOG_APP_KEY`                                            | -                                                                                                                  |
| `elastic_security`     | `ELASTIC_API_KEY`                                                              | -                                                                                                                  |
| `gophish`              | `GOPHISH_API_KEY`                                                              | -                                                                                                                  |
| `google_api`           | `GOOGLE_API_CREDENTIALS`                                                       | -                                                                                                                  |
| `google_maps`          | `GOOGLE_MAPS_API_KEY`                                                          | -                                                                                                                  |
| `hackerone`            | `HACKERONE_API_USERNAME` `HACKERONE_API_TOKEN`                                 | -                                                                                                                  |
| `hibp`                 | `HIBP_API_KEY`                                                                 | -                                                                                                                  |
| `ipinfo`               | `IPINFO_API_TOKEN`                                                             | -                                                                                                                  |
| `jamf`                 | `JAMF_CLIENT_ID` `JAMF_CLIENT_SECRET`                                          | -                                                                                                                  |
| `jira`                 | `JIRA_API_TOKEN` `JIRA_USEREMAIL`                                              | -                                                                                                                  |
| `kubernetes`           | `KUBECONFIG_BASE64`                                                            | -                                                                                                                  |
| `ldap`                 | `LDAP_HOST` `LDAP_PASSWORD` `LDAP_PORT` `LDAP_USER`                            | -                                                                                                                  |
| `microsoft_graph`      | `MICROSOFT_GRAPH_CLIENT_ID` `MICROSOFT_GRAPH_CLIENT_SECRET`                    | -                                                                                                                  |
| `mongodb`              | `MONGODB_CONNECTION_STRING`                                                    | -                                                                                                                  |
| `okta`                 | `OKTA_API_TOKEN`                                                               | -                                                                                                                  |
| `openai`               | `OPENAI_API_KEY`                                                               | -                                                                                                                  |
| `opencti`              | `OPENCTI_API_TOKEN`                                                            | -                                                                                                                  |
| `pagerduty`            | `PAGERDUTY_API_TOKEN`                                                          | -                                                                                                                  |
| `phishlabs`            | `PL_CLIENT_ID` `PL_CLIENT_SECRET` `PL_CUSTOMER_ID` `PL_PASSWORD` `PL_USERNAME` | -                                                                                                                  |
| `rootly`               | `ROOTLY_API_KEY`                                                               | -                                                                                                                  |
| `sentinel_one`         | `SENTINEL_ONE_API_TOKEN`                                                       | -                                                                                                                  |
| `slack`                | `SLACK_BOT_TOKEN`                                                              | -                                                                                                                  |
| `smtp`                 | `SMTP_HOST` `SMTP_PASS` `SMTP_PORT` `SMTP_USER`                                | -                                                                                                                  |
| `splunk`               | `SPLUNK_API_KEY`                                                               | -                                                                                                                  |
| `splunk_hec`           | `SPLUNK_HEC_TOKEN`                                                             | -                                                                                                                  |
| `ssl`                  | -                                                                              | `SSL_CLIENT_CERT` `SSL_CLIENT_KEY` `SSL_CLIENT_PASSWORD`                                                           |
| `thehive`              | `THEHIVE_API_KEY`                                                              | -                                                                                                                  |
| `threatstream`         | `ANOMALI_API_KEY` `ANOMALI_USERNAME`                                           | -                                                                                                                  |
| `urlscan`              | `URLSCAN_API_KEY`                                                              | -                                                                                                                  |
| `virustotal`           | `VIRUSTOTAL_API_KEY`                                                           | -                                                                                                                  |
| `wazuh_wui`            | `WAZUH_WUI_PASSWORD` `WAZUH_WUI_USERNAME`                                      | -                                                                                                                  |
| `wiz`                  | `WIZ_CLIENT_ID` `WIZ_CLIENT_SECRET`                                            | -                                                                                                                  |
| `zendesk`              | `ZENDESK_EMAIL` `ZENDESK_API_TOKEN`                                            | -                                                                                                                  |
